Amazon EKS cluster public endpoint access and OpenVPN route issue
When you create an EKS cluster, AWS creates a public endpoint for the cluster's API server with a hostname something like ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com
This DNS record returns two IP addresses.
$ host ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com
ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com has address 5.195.16.196
ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com has address 18.203.6.19
Unfortunately, these IPs are not static (they are not Elastic IPs) and can change from time to time. That is fine if you don't apply any restriction on access to this endpoint.
But in my case, I only allow access to the endpoint from OpenVPN running inside the VPC. I was assuming that these IPs would never change, and I was pushing routes to the VPN clients in the OpenVPN config.
But it seems the IPs are changing faster than before. It is not a good solution to change the VPN route every time.
I found the solution with the allow-pull-fqdn parameter in the VPN client config.
allow-pull-fqdn
This parameter allows the client to pull DNS names from the OpenVPN server. This option cannot be pushed and needs to be added to the client configuration itself.
Example config (two lines):
allow-pull-fqdn
route ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com 255.255.255.255
When you add this config, the OpenVPN client resolves the hostname via DNS when it connects and adds the resulting IPs to its route table.
Please note that if the IPs change while you are connected to the VPN, you must stop/start the VPN client so that the hostname is resolved again.
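Because the client only resolves the hostname at connect time, it helps to have a small check that tells you when the endpoint's addresses have drifted from what your VPN session was established with. The script below is an added example and not part of the original post or of OpenVPN itself; the function names (resolve_ipv4, host_routes, endpoint_drift, needs_reconnect) are my own, and the "before"/"after" address sets are constructed from the two addresses shown above, with one of them rotated, so the logic can be exercised without touching DNS. It emits one /32 route line per address so that every address the endpoint currently resolves to is covered, and reports which addresses were added or removed since the last check.

```python
import ipaddress
import socket
from typing import Iterable, List, Set, Tuple

# Hypothetical EKS endpoint hostname, taken from the post's example.
EKS_ENDPOINT = "ACB6D2xyzC0ADBDA7833C.sk1.eu-west-1.eks.amazonaws.com"

# Constructed sample data: the two addresses from the post, then the same
# endpoint after one of them has been rotated by AWS.
SAMPLE_BEFORE = ["5.195.16.196", "18.203.6.19"]
SAMPLE_AFTER = ["5.195.16.196", "18.203.7.42"]


def resolve_ipv4(fqdn: str) -> Set[str]:
    """Return every A record for fqdn, the same lookup the VPN client does at connect time."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def host_routes(ips: Iterable[str]) -> List[str]:
    """Render one OpenVPN /32 'route' line per address, sorted numerically.

    Each value is validated as an IPv4 address first, so a stray hostname or
    garbage string cannot end up in a route line.
    """
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    return [f"route {addr} 255.255.255.255" for addr in addrs]


def endpoint_drift(previous: Iterable[str], current: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare two address sets; return (added, removed) relative to previous."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def needs_reconnect(previous: Iterable[str], current: Iterable[str]) -> bool:
    """True when any address changed, i.e. the VPN session's routes are stale."""
    added, removed = endpoint_drift(previous, current)
    return bool(added or removed)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("Routes for current addresses:")
    for line in host_routes(SAMPLE_AFTER):
        print("  " + line)
    added, removed = endpoint_drift(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"added={added} removed={removed} reconnect={needs_reconnect(SAMPLE_BEFORE, SAMPLE_AFTER)}")

    # Live check (requires DNS access): compare against the addresses recorded
    # when the VPN session was started, here stood in for by SAMPLE_BEFORE.
    try:
        live = resolve_ipv4(EKS_ENDPOINT)
        print(f"live addresses: {sorted(live)} reconnect={needs_reconnect(SAMPLE_BEFORE, live)}")
    except socket.gaierror as exc:
        print(f"lookup failed: {exc}")
```

Run it from cron or a shell loop on a VPN client and alert when needs_reconnect() returns True; that is the signal to stop/start the client rather than waiting for API calls to the cluster to time out.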
PS: You can vote on https://github.com/aws/containers-roadmap/issues/1155 to get Elastic IPs for EKS endpoints :)
Ismail YENIGUL
DevOps Engineer